How to update timeout of a map element?

Hi,

I have a question regarding a very basic thing: How to refresh the map element timeout without recreating that element (i.e. without setting its value again)?

According to:

https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path

in the case of sets, the update operation can be used:

update @ctrs { ip saddr . ip daddr . th sport . th dport counter }

However, in the case of maps, the update operation requires specifying not only the key, but also the value of a map element:

update @flows { ip saddr . ip daddr . th sport . th dport : rt nexthop }

Such a value can be unavailable in many cases. For example, let's consider the following configuration which caches flow nexthops (aka poor man's flow table):

table ip x {
    # flow 4-tuple -> cached nexthop address, expires 5s after the element was written
    map flows {
        typeof ip saddr . ip daddr . th sport . th dport : ip daddr
        timeout 5s
    }

    # per-flow counters, refreshed by "update" on every packet
    set ctrs {
        typeof ip saddr . ip daddr . th sport . th dport
        flags dynamic
        timeout 5s
    }

    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        # cache hit: duplicate the packet to the cached nexthop, refresh the counter, drop the original
        ip protocol { tcp, udp } dup to ip saddr . ip daddr . th sport . th dport map @flows update @ctrs { ip saddr . ip daddr . th sport . th dport counter } drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # cache miss: store the nexthop found by routing and create the counter
        ip protocol { tcp, udp } add @flows { ip saddr . ip daddr . th sport . th dport : rt nexthop }
        ip protocol { tcp, udp } add @ctrs { ip saddr . ip daddr . th sport . th dport counter }
    }
}

We can update the @ctrs set in the prerouting chain to collect per-flow counters. Elements in this set will expire 5s after the last flow packet. However, there is no way to refresh the timeouts of @flows map elements. We cannot use rt nexthop here, since it would recreate the entry with the current nexthop, which would obviously make our cache a no-op. As a result, an element in the @flows map will expire 5s after the FIRST packet and the entry would be recreated in the forward chain with a new nexthop, which also makes the cache pretty useless.

I see two solutions for this problem. The first one would be to allow update operations on maps to refresh timeouts without specifying the element's value:

update @flows { ip saddr . ip daddr . th sport . th dport }

The second one would be to add a new flag to maps, which would make maps refresh their elements timeout on every hit (map lookup).

Or is there already some way to achieve this that I missed?

Regards,
Piotr Jurkiewicz
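As an added illustration (not part of the original post and not nftables code), the following Python model reproduces the timeout semantics the post relies on: an element's timer is armed when the element is written by add or update, and a plain map lookup does not touch it. It replays a single flow through the post's prerouting and forward chains and counts how often the nexthop has to be re-resolved. The `refresh_on_lookup` flag models the second proposal in the post (refresh on every map hit) and is an assumption, not an existing nftables feature; the 4-tuple and the nexthop values are constructed.

```python
"""Toy model of nftables set/map element timeouts (added example, not nft itself).

An element added with `timeout T` expires T seconds after it was last
written.  `update` rewrites the element and so re-arms the timer; a map
lookup (`... map @flows`) does not.  `refresh_on_lookup` models the
post's second proposal and is NOT a real nftables flag.
"""
from dataclasses import dataclass, field

TIMEOUT = 5.0  # matches `timeout 5s` in the post's map and set


@dataclass
class TimedMap:
    timeout: float
    refresh_on_lookup: bool = False          # hypothetical flag (assumption)
    _entries: dict = field(default_factory=dict)  # key -> (value, expires_at)

    def _expire(self, now):
        """Drop every element whose timer has run out at time `now`."""
        for key in [k for k, (_, exp) in self._entries.items() if exp <= now]:
            del self._entries[key]

    def add(self, key, value, now):
        """`add @map { key : value }`: creates the element and arms its timer;
        an already existing element is left untouched."""
        self._expire(now)
        if key not in self._entries:
            self._entries[key] = (value, now + self.timeout)

    def update(self, key, value, now):
        """`update @map { key : value }`: always rewrites, so the timer is refreshed."""
        self._expire(now)
        self._entries[key] = (value, now + self.timeout)

    def lookup(self, key, now):
        """`... map @map`: returns the value or None.  Only refreshes the timer
        under the hypothetical refresh_on_lookup flag."""
        self._expire(now)
        hit = self._entries.get(key)
        if hit is None:
            return None
        value, _ = hit
        if self.refresh_on_lookup:
            self._entries[key] = (value, now + self.timeout)
        return value


def simulate(refresh_on_lookup, packet_times, route_lookups):
    """Replay one flow through the post's two chains.

    packet_times: arrival time of each packet of the flow (seconds).
    route_lookups: what `rt nexthop` would return on successive cache misses
                   (constructed; models the route changing over time).
    Returns the nexthop actually used for each packet.
    """
    flows = TimedMap(TIMEOUT, refresh_on_lookup)
    flow = ("10.0.0.1", "10.0.0.2", 1234, 80)   # constructed 4-tuple key
    used = []
    routes = iter(route_lookups)
    for now in packet_times:
        # prerouting: `dup to ... map @flows` is a lookup only
        cached = flows.lookup(flow, now)
        if cached is not None:
            used.append(cached)
            continue                            # post's rule drops the original here
        # forward: `add @flows { key : rt nexthop }` on a cache miss
        nexthop = next(routes)
        flows.add(flow, nexthop, now)
        used.append(nexthop)
    return used


def route_resolutions(refresh_on_lookup, packet_times, route_lookups):
    """Number of distinct `rt nexthop` resolutions the flow triggered."""
    return len(set(simulate(refresh_on_lookup, packet_times, route_lookups)))


if __name__ == "__main__":
    times = [float(t) for t in range(12)]       # one packet per second
    routes = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]  # constructed nexthops
    print("current nft semantics:", simulate(False, times, routes))
    print("refresh on lookup    :", simulate(True, times, routes))
```

With one packet per second and current semantics the entry is rebuilt at t=5 and t=10, so the flow is re-routed every 5 s even though it never went idle; with refresh-on-hit semantics the first resolved nexthop is kept for the whole flow.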


